Users can enjoy the benefit of choosing one password to access multiple applications, instead of memorising many different passwords. However, compromise of one authentication event could result in the compromise of all resources that the user has access rights to.

Public Key Infrastructure (PKI) is a widely accepted IT security framework based on 'Public Key Cryptography'. The Hong Kong Government has laid a solid foundation for deployment of PKI through the enactment of the Electronic Transactions Ordinance and the establishment of a public Certification Authority (CA) through the Hongkong Post.

While web applications provide convenience and efficiency, they also introduce a number of new security threats, which could pose significant risks to an organisation's information technology infrastructure if not handled properly.

As more and more software vulnerabilities are discovered and need to be fixed with updates and patches, it is essential that system administrators manage the patching process in a systematic and controlled way. Successful patch management requires a robust and systematic process.

Virtual Private Network (VPN) security is in increasing demand nowadays, as users connect to internal networks from distant locations. Employees often need to connect to internal private networks over the Internet (which is by nature insecure) from home, hotels, airports or other external networks.

Business continuity management involves the development of a Business Continuity Plan (BCP) designed to ensure the recovery of critical business activities from natural or man-made failures or disasters to an acceptable level within a predefined time frame, thereby minimising the impact of losses to the organisation. Implementing a BCP is essential for every business.

To contain the problem of unsolicited electronic messages, the Unsolicited Electronic Messages Ordinance ('UEMO') and the Unsolicited Electronic Messages Regulation ('UEMR') were enacted in 2007. The UEMO regulates the sending of 'commercial electronic messages' with a 'Hong Kong link'.

Security training is crucial to ensuring that all related parties understand the security risks, and accept and adopt good security practices. No protection procedure is effective without proper execution by well-trained staff. You must ensure that your staff possess the necessary skill sets.

A backup is a representative copy of data at a specific time. The phrase 'backup and recovery' usually refers to the transfer of copied files from one location to another, along with the various operations performed on those files.

The security management cycle starts with an assessment of the security risks. Security Risk Assessment is done to identify what security measures are required. It is the initial step in evaluating and identifying the risks and consequences associated with vulnerabilities, and provides a basis for management to establish a cost-effective security program.

Following the results obtained from your security risk assessment, the security management cycle enters a phase of implementation and maintenance, where appropriate security protection measures and safeguards are implemented in a way that builds a secure protection framework. This includes developing security policies and guidelines, assigning security responsibilities and implementing technical and administrative security measures. All these steps are crucial to safeguarding your business assets.

After reviewing the results of security risk assessment, safeguards will be identified and evaluated for their effectiveness in reducing the likelihood and impact of identified threats and vulnerabilities to an acceptable level.

A DDoS attack attempts to consume both the network bandwidth and the server resources of the targeted organisation. A large-scale DDoS attack is often performed by a botnet, which co-opts numerous infected computers, usually spread across different points around the world, to unwittingly participate in the attack.

Low deployment costs make wireless networks attractive to both organisations and end users. However, the easy availability of inexpensive equipment also gives attackers the tools to launch attacks on the network. New security risks come with the benefits of adopting wireless networks.

To help organisations understand at what point in their wireless network deployments a recommended security best practice might be relevant, we outline here a five-phase lifecycle model for network deployment and point out security issues that need special attention.

DNS has no built-in security features, and DNS data can be tampered with. If a DNS response is tampered with, a user might be redirected to a malicious website. To avoid falling victim to DNS threats, measures at different levels can be adopted.

The popular tools and technologies of modern daily life, like mobile phones, webmail, instant messaging services, removable storage media, and wireless access to the Internet, have given everyone the ability to easily carry and handle large amounts of data.

When any IT operation of an organisation is contracted out, the external service provider (or the outsourcing vendor) may effectively become an “insider”, handling sensitive and important information for the company.

An Information Security Incident is an adverse event in an information system and/or a network that poses a threat to computer or network security in respect of availability, integrity and confidentiality.

Given that attackers are now moving away from attacks that are merely a nuisance or destructive towards activity that is motivated by financial gain, malicious code attacks have become more sophisticated and a significant concern to organisations.

Electronic authentication (e-Authentication) is the process of establishing confidence in user identities presented electronically to an information system. This may involve verifying with “what the user knows”, “what the user has”, and/or “what the user is or does”. The greater the number of factors being verified, the higher the confidence can be established.

Encryption is a process for scrambling and transforming data from an easily readable and understandable format (such as Plain Text) into an unintelligible format that seems to be useless and not readily understandable (known as Cipher Text).

From time to time, software bugs are discovered in applications running on your PC. Software vendors will then release one or more 'patches' to fix the weaknesses. At the same time, hackers can take advantage of these weaknesses to attack the unpatched PCs.

Malicious code refers to computer viruses, worms, spyware, Trojan Horses and other undesirable software. Attacks using such software aim to cause disruption, whether by deleting files, sending emails or rendering the host system inoperable.

Identity theft is a criminal act of getting hold of personal data of others without their knowledge or permission with an intent to defraud. The personal data is used by identity thieves to impersonate the data subjects for fraudulent purposes.

Ransomware is malicious software that cyber criminals use to lock the files stored on infected computer devices. The locked files are effectively held hostage, and victims are required to follow the instructions of this malicious software and pay a ransom to unlock them.

The use of computers, the Internet and telecommunication or information devices has brought us much convenience in all kinds of daily pursuits, from learning, leisure and personal communication to conducting business activities. At the same time, however, the convenience of this virtual space has created great potential for abuse by criminals.